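---
# Prebuild security gate: runs Semgrep (SAST) and Trivy (vuln/secret/misconfig
# scan) against the VulnApp repository on every push to master.
#
# Both jobs clone VulnApp with plain git instead of checking out this
# repository, so neither needs write access to anything.
name: Prebuild check

on:
  push:
    branches:
      - master

# Least privilege for the workflow token: nothing here pushes, comments or
# publishes, so read-only is enough. (GitHub Actions key — confirm the CI
# platform that runs this file honours it.)
permissions:
  contents: read

jobs:
  sast:
    name: SAST
    runs-on: ubuntu-20.04
    container:
      # TODO(review): pin to a version tag or an @sha256 digest; an untagged
      # image resolves to :latest and changes silently between runs.
      image: returntocorp/semgrep
    steps:
      - name: clone repo
        run: |
          git clone https://gitverse.ru/sc/kremls/VulnApp.git

      - name: full scan
        # --error makes semgrep exit 1 when it has findings; without it the
        # job is green whatever the results and this is not a gate.
        # The exclude glob is single-quoted so the shell cannot expand it
        # before semgrep sees it.
        run: |
          semgrep \
            --metrics=off \
            --error \
            --config="VulnApp/rules/rule_id01.yaml" \
            --config="p/default" \
            --exclude='rule_id*.yaml' \
            VulnApp

  sca:
    name: SCA
    runs-on: ubuntu-20.04
    container:
      # TODO(review): pin to a version tag or an @sha256 digest instead of
      # :latest so scanner behaviour is reproducible between runs.
      image: aquasec/trivy:latest
    steps:
      - name: clone repo
        run: |
          git clone https://gitverse.ru/sc/kremls/VulnApp.git

      - name: Run Trivy vulnerability scanner in repo mode
        # Scan the cloned checkout explicitly (as the SAST job does) rather
        # than the whole workspace. --exit-code 1 turns findings into a
        # failed job; trivy's default exit code is 0 even with findings.
        run: |
          trivy fs --scanners vuln,secret,misconfig -f table --exit-code 1 VulnApp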